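def testSSHLogEvent(self):
    """
    Verify that events are generated correctly from the sample SSH log.

    Feeds ``test_100_sshlog.log`` through a line-based FileSource driven by
    the rules in ``test_100_sshrules.xml`` and checks the queued events: a
    failed login with username and source host extracted, a successful
    login, and a generic SYSLOG:UNKNOWN event for a line no rule matched.
    """
    self.config.input = [
        {
            "source": "file:filename=" + self.basedir + "test_100_sshlog.log",
            "translator": "linebased:rulefile=" + self.basedir + "test_100_sshrules.xml",
        }
    ]
    source = FileSource(0, self.config, self.logger, self.queue)
    source.work()
    source.finish()
    # 3rd line should be dropped -> 3 events in total
    # (the count in the old comment said 4, contradicting the assertion)
    self.assertEqual(self.queue.qsize(), 3)
    # first event: a failed login must expose the account and the source
    # host, since those are the fields later detection logic keys on
    e = self.queue.get()
    self.assertEqual(e.name, "SSH:LOGIN:FAILED")
    self.assertEqual(e.host, "server-002")
    self.assertEqual(e.attributes["username"], "root")
    self.assertEqual(e.attributes["srchost"], "10.0.2.68")
    # second event
    e = self.queue.get()
    self.assertEqual(e.name, "SSH:LOGIN:SUCCESS")
    # third event: an unmatched line falls through to the generic syslog event
    e = self.queue.get()
    self.assertEqual(e.name, "SYSLOG:UNKNOWN")
    self.assertTrue("logline" in e.attributes)
    # third event should not have the following two attributes, as they were
    # generated by earlier matches and must not leak into later events
    self.assertFalse("ignore1" in e.attributes)
    self.assertFalse("ignore2" in e.attributes)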
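    def testSSHLogEvent(self):
        """
        Verify that events are generated correctly from the sample SSH log.

        Feeds ``test_100_sshlog.log`` through a line-based FileSource driven by
        the rules in ``test_100_sshrules.xml`` and checks the queued events: a
        failed login with username and source host extracted, a successful
        login, and a generic SYSLOG:UNKNOWN event for a line no rule matched.
        """
        self.config.input = [{
            'source':
            "file:filename=" + self.basedir + "test_100_sshlog.log",
            'translator':
            "linebased:rulefile=" + self.basedir + "test_100_sshrules.xml"
        }]
        source = FileSource(0, self.config, self.logger, self.queue)
        source.work()
        source.finish()
        # 3rd line should be dropped -> 3 events in total
        # (the count in the old comment said 4, contradicting the assertion)
        self.assertEqual(self.queue.qsize(), 3)
        # first event: a failed login must expose the account and the source
        # host, since those are the fields later detection logic keys on
        e = self.queue.get()
        self.assertEqual(e.name, "SSH:LOGIN:FAILED")
        self.assertEqual(e.host, "server-002")
        self.assertEqual(e.attributes['username'], "root")
        self.assertEqual(e.attributes['srchost'], "10.0.2.68")
        # second event
        e = self.queue.get()
        self.assertEqual(e.name, "SSH:LOGIN:SUCCESS")
        # third event: an unmatched line falls through to the generic syslog event
        e = self.queue.get()
        self.assertEqual(e.name, "SYSLOG:UNKNOWN")
        self.assertTrue('logline' in e.attributes)
        # third event should not have the following two attributes, as they were
        # generated by earlier matches and must not leak into later events
        self.assertFalse('ignore1' in e.attributes)
        self.assertFalse('ignore2' in e.attributes)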
	def testXMLWrite(self):
		"""
		Smoke test for the XML round trip: read the sample event file and
		write it back out through an XML sink, expecting no validation errors.
		"""
		events_file = "file:filename=" + self.basedir + "test_101_events.xml"
		self.config.input = [{'source': events_file, 'translator': "xml"}]
		reader = FileSource(0, self.config, self.logger, self.queue)
		reader.work()
		reader.finish()
		# Output is discarded; only the absence of errors matters here.
		self.config.output = [{'sink': "file:filename=/dev/null", 'translator': "xml"}]
		writer = FileSink(0, self.config, self.logger, self.queue)
		writer.start()
		# Block until the queue reports every event handled, then stop the sink.
		self.queue.join()
		writer.finish()
		writer.join()
	def testXMLRead(self):
		"""
		Verify that the XML translator reconstructs events from the sample file.

		Reads ``test_101_events.xml`` through a FileSource and checks that two
		events are queued, that the first one's scalar fields and single
		attribute come back as stored, and that the second one's history
		entries survive the round trip unchanged.
		"""
		self.config.input = [{'source':"file:filename="+self.basedir+"test_101_events.xml", 'translator':"xml"}]
		source = FileSource(0, self.config, self.logger, self.queue)
		source.work()
		source.finish()
		
		# the sample file holds exactly two events
		self.assert_(self.queue.qsize()==2)
		event1 = self.queue.get()
		event2 = self.queue.get()
		# first event: every scalar field must match the XML source
		self.assert_(event1.getName()=="NIC:ETHERNET:LINKUP")
		self.assert_(event1.getDescription()=="The ethernet network internet controller is up.")
		self.assert_(event1.getID()=="e9294e806d02fd8ebd90e345434c16a3")
		self.assert_(event1.getType()=="raw")
		self.assert_(event1.getStatus()=="active")
		self.assert_(event1.getHost()=="host-a-0")
		self.assert_(event1.getTimestamp()==1243039102)
		# exactly one attribute, and it is the interface index
		self.assert_(len(event1.getAttributes())==1)
		self.assert_(event1.getAttribute("interface")=="1")
		# second event: the history list (host, matching rule, timestamp,
		# touched fields and reason) must be reproduced structurally
		self.assert_(event2.getName()=="MAIL:FRESHCLAM:ERROR")
		self.assert_(event2.getHistory()==[{"host":"host-b-0", "rule":{"groupname": "freshclam", "rulename": "detect-single-events"}, "timestamp": 1244014940, "fields": ["status"], "reason": "Single errors can be ignored."}])